summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorQixue Xiao <s2exqx@gmail.com>2013-12-20 17:51:12 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-12-20 12:21:57 -0800
commit351d6204bfc814a1aee300296d2f54460ffff172 (patch)
tree8ee90f783108f35518c50fb9a43f2191e88e5a00
parent4903713cac8bd41b576e4e3eff3d54bd199a7737 (diff)
downloadlinux-stable-351d6204bfc814a1aee300296d2f54460ffff172.tar.gz
linux-stable-351d6204bfc814a1aee300296d2f54460ffff172.tar.bz2
linux-stable-351d6204bfc814a1aee300296d2f54460ffff172.zip
tty: an overflow of multiplication in drivers/tty/cyclades.c
there is an overflow in the code : cyz_polling_cycle = (arg * HZ) / 1000, the multiplicator arg comes from user, so it may be an overflow if arg is a big number. And the value of cyc_polling_cycle will be wrong when it is used next time. Reported-by: Qixue Xiao <xiaoqixue_1@163.com> Suggested-by: Yongjian Xu <xuyongjiande@gmail.com> Suggested-by: Yu Chen <chyyuu@gmail.com> Signed-off-by: Qixue Xiao <xiaoqixue_1@163.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/tty/cyclades.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
index 33f83fee9fae..a57bb5ab761c 100644
--- a/drivers/tty/cyclades.c
+++ b/drivers/tty/cyclades.c
@@ -2709,6 +2709,8 @@ cy_ioctl(struct tty_struct *tty,
break;
#ifndef CONFIG_CYZ_INTR
case CYZSETPOLLCYCLE:
+ if (arg > LONG_MAX / HZ)
+ return -ENODEV;
cyz_polling_cycle = (arg * HZ) / 1000;
break;
case CYZGETPOLLCYCLE: